Skip to content

cdkrot/ptrace-sandbox

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

50 Commits
doc
doc
 
 
res
res
 
 
src
src
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README
README
 
 
build
build
 
 
modules.list
modules.list
 
 

Repository files navigation

Sandboxing-related stuff, Proof-of-concept for ejudge and not only
==================================================================

Demos to test on
================

* aplusb, read two numbers from file, write sum to other, c++.
* return-minus-1-c, return -1, c.
* return-1-cpp, return +1, c++.
* return-0-noglibc, return 0, no system calls performed, asm.
* hello, Guess what, c.
* hello32, Same, but uses 32 bit ABI.
* malloc, just eats a large bite of memory, c.
* million-of-mmaps, guess what it does, c.

Requirements
============

* Linux kernel and gnu libc, recent enough.
* procfs enabled in kernel (for kernel-module-assisted sandboxing).
* ptrace enabled in kernel (for ptrace-based sandboxing).
* At the moment only x86_64 architecture supported.

Old research (Ptrace-based sanboxing).
======================================

Ptrace is mechanism used by debuggers to supervise program execution and modify it in runtime

Research Results:

+ Sandboxing via it is pretty much possible
+ It is completely user space (uses only external kernel api)
- Requires linux
- Pretty tricky in implementation.
- requires to implement architecture related code (so we only implemented x86_64).
- Can be slow, while not affecting user space execution, sys call are slowed down up to 70 times(!)

Available demos:

* newdetect, program similar to strace, but not too pretty, more or less complete implementation of ptrace protocol for x86_64.
* trace_simple, minimalistiс (and incomplete) ptrace protocol implementation, mostly for benchmarking.

Next-gen sandboxing via kernel module
=====================================

We decided to write kernel module to make sandboxing really fast, it is W.I.P.

How to reportbug
================

Please include in your report:

* Linux kernel version
* Gnu libc version
* Your architecture (example: x86_64, x86, Sparc, ...)
* strace and newdetect logs on demo programs (aplusb, return-0-noglibc, return-minus-1-c will be enough).

Building
========

Use "./build all" from project root.
You may also want try "./build --help"

For deeper building explanations see doc/building.txt

About

Ptrace-based sandboxing and stracing efforts

Resources

Readme

License

GPL-3.0 license
Activity

Stars

2 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages